EP2166455A1 - Method and apparatus for automation of verification procedures for airplane equipment - Google Patents

Abstract

The method involves receiving a testing or evaluating command for testing or evaluating a configuration of an equipment through a network interface i.e. Ethernet interface, and coding the received testing or evaluating command. The coded command is transmitted to a secured part of an embarked information system of an aircraft. A coded test command is filtered in response to the received coded command. The coded command is translated and executed in relation with a maintenance function in response to the filtering of the coded test command. Independent claims are also included for the following: (1) a computer program comprising instructions for implementing an equipment configuration testing or evaluating method (2) a device comprising units to implement steps of an equipment configuration testing or evaluating method.

Description

The present invention relates to maintenance operations and functional tests carried out in aircraft and more particularly to a method and a device for automating, in a secure manner, the verification procedures of equipment in an aircraft from a remote station, on line assembly or during the operation of the aircraft, using the on-board information system and its topology.

To optimize the reliability of aircraft and increase their profitability, online maintenance operations are frequently implemented between flight phases.

In general, such operations consist, for example, for maintenance operators in verifying the hardware and software configuration of the aircraft systems, analyzing data stored during the flight (continuous monitoring), modifying certain parameters of the aircraft or some software data, launch test software applications and / or control the software configuration change following a download operation.

The analyzed data are often derived from sensors and stored in a central diagnostic and storage device accessible through a human-machine interface type MCDU (abbreviation of Multi-Control Display Unit in English terminology) or OMT ( Onboard acronym Terminal Maintenance in English terminology). This interface, through which interactive operations can be launched, makes it possible to analyze the stored data, to access the parameters of the aircraft and more generally to perform test and maintenance functions. As an illustration, the Airbus A320, A330 and A340 are equipped with MCDU and the Airbus A380 is equipped with OMT (Airbus, A320, A330, A340 and A380 are trademarks).

Access to aircraft maintenance systems is generally limited to fixed physical stations embedded in the cockpit. Thus, when the aircraft is on the ground, a maintenance operator can board the aircraft to access and analyze the stored data, possibly modify the parameters thereof and launch test applications.

In order to ensure the sequence of tasks in an optimized manner, the current devices generally require the permanent presence of an operator to verify that the operations went well.

Alternatively, to meet growing demand from airlines to reduce online maintenance time, mobile stations are used. The latter, whose role is similar to MCDU or OMT type interfaces, are connected to the central diagnostic and storage device via connection sockets connected to the network of the aircraft.

The figure 1 illustrates an example of an aircraft 100 comprising a central diagnostic and storage device 105 connected, via a communication network (not shown), to a fixed line maintenance station 110 installed in the cockpit.

The device 105 is connected to all the systems of the aircraft generating maintenance messages, for example to sensors (not shown) for controlling the engines and the actuators of the landing gear and the control surfaces.

Thus, when the aircraft 100 is on the ground, a maintenance operator can, using the fixed station 110, analyze the flight data of the aircraft and modify its parameters.

Although this solution meets the expectations of the airlines, it is necessary to use a wired link between an aircraft and a station to perform online maintenance operations. Such a constraint notably has the effect of slowing down the duration of maintenance operations and, consequently, of increasing the operating costs of the aircraft.

To overcome these drawbacks, there are diagnostic systems using wireless communication technology according to which the data from the sensors are directly transmittable to the mobile online maintenance station. For example, the patent EP 1 306 305 discloses a system in which sensors are connected to data storage and transmission devices. Thus, on request, a mobile station can obtain flight data.

However, such a system is limited to the access to the data without allowing modification of the parameters of an aircraft and requires the use of several storage and transmission devices.

Similarly, during assembly of aircraft, final assembly line teams rely on interactive maintenance tools to perform all or part of the functional tests of the aircraft and configuration follow-up throughout from the manufacturing process to the delivery of the aircraft.

However, despite the performance of the maintenance stations, there is no way to automate certain tests.

Indeed, while some maintenance stations onboard the aircraft can be connected to a communication network for the exchange of data between the aircraft and remote equipment, the network connection does not remotely control applications implemented on board the aircraft or to transmit data to these applications for security reasons.

The invention solves at least one of the problems discussed above.

• réception d'au moins une commande de test ou d'évaluation de la configuration dudit au moins un équipement via ladite interface réseau ;
• codage de ladite au moins une commande reçue ;
• transmission de ladite commande codée à ladite partie sécurisée dudit système d'information dudit aéronef ;
• en réponse à la réception de ladite commande codée, filtrage de ladite au moins une commande de test codée ; et,
• en réponse à ladite étape de filtrage, traduction et exécution de ladite commande codée en relation avec ladite au moins une fonction de maintenance.

The subject of the invention is thus a method for testing or evaluating the configuration of at least one piece of equipment in an aircraft, said aircraft comprising an onboard information system, said information system comprising a secure part and a part less secure, said less secure portion comprising a network interface adapted to exchange data with an information system external to said aircraft, said secured part comprising at least one maintenance function, this method comprising the following steps,

• receiving at least one test command or evaluating the configuration of said at least one device via said network interface;
• encoding said at least one received command;
• transmitting said coded command to said secure portion of said information system of said aircraft;
• in response to receiving said coded command, filtering said at least one encoded test command; and,
• in response to said step of filtering, translating and executing said coded command in relation to said at least one maintenance function.

The method according to the invention thus allows the execution of a maintenance function in a secure part of an information system of an aircraft from a remote station, without compromising the security of this part of the aircraft. information system, using the existing information system and its topology.

Advantageously, the method further comprises a step of determining a result in response to said execution of said at least one command and a step of transmitting said result to said external information system to said aircraft via said communication interface to enable said at a remote station to receive and analyze the result of a function performed in a secure part of an information system of an aircraft.

According to a particular embodiment, said step of transmitting said result comprises a step of transmitting said result of said secure part of said information system of said aircraft to said less secure part of said information system of said aircraft and a step of transmitting said result. from said less secure part of said information system of said aircraft to said information system external to said aircraft. The method according to the invention thus makes it possible to use the existing information system and the topology of an aircraft to execute a maintenance function in a secured part of an aircraft information system and obtain the result of this execution.

Still according to a particular embodiment, said less secure portion comprises at least one second maintenance function, distinct from said at least one maintenance function, called at least one first maintenance function, the method further comprising an evaluation step said at least one command adapted to determine if said at least one command is intended for said secure part or for said less secure part of said information system of said aircraft, said coding, filtering transmission, translation and transmission steps; execution of said at least one command being executed if said at least one command is for said secure part of said information system of said aircraft. The method according to the invention thus makes it possible to optimize the processing of the commands for executing maintenance functions according to the recipient of these commands.

Advantageously, the method furthermore comprises, if said at least one command is intended for said less secure part of said information system of said aircraft, a step of executing said at least one command received in relation to said at least one second maintenance function. Said at least one received command is preferably coded prior to its execution.

According to a particular embodiment, the method further comprises an initial step of establishing a secure communication channel between said information system of said aircraft and said external information system to said aircraft to enable the exchange of data and to improve the security of data transmissions between a remote station and the aircraft information system.

The invention also relates to a computer program comprising instructions adapted to the implementation of each of the steps of the method described above, a device comprising means adapted to the implementation of each of the steps of the previously described method and an aircraft comprising such a device.

• la figure 1 représente un aéronef comprenant un poste fixe de maintenance permettant d'analyser les données de vol de celui-ci et d'en modifier les paramètres selon un schéma standard ;
• la figure 2 représente schématiquement un exemple d'environnement dans lequel la présente invention peut être mise en oeuvre ;
• la figure 3 illustre l'architecture des dispositifs mis en oeuvre dans l'environnement représenté sur la figure 2 ;
• la figure 4 illustre schématiquement l'algorithme mis en oeuvre dans le système d'information d'un aéronef, conformément à l'invention, pour permettre l'automatisation de tests en ligne d'assemblage final de l'aéronef et/ou l'automatisation d'opérations de vérifications périodiques exécutées par la compagnie aérienne exploitant l'aéronef ;
• la figure 5 représente partiellement une trame Ethernet sur laquelle un filtrage peut être effectué ;
• la figure 6 représente une table ASCII et plus particulièrement des caractères pouvant être utilisés pour transmettre une commande de la partie non sécurisée à la partie sécurisée d'un système d'information d'un aéronef, sans compromettre sa sécurité ;
• la figure 7 illustre un exemple de table de correspondance pouvant être utilisée par un module de conversion pour établir des liens de correspondance entre des commandes et des instructions ; et,
• la figure 8 illustre un exemple de dispositif adapté à mettre en oeuvre l'invention ou une partie de l'invention.

Other advantages, aims and features of the present invention will emerge from the detailed description which follows, given by way of non-limiting example, with reference to the accompanying drawings in which:

• the figure 1 represents an aircraft comprising a fixed maintenance station making it possible to analyze the flight data thereof and to modify the parameters thereof according to a standard diagram;
• the figure 2 schematically represents an example of an environment in which the present invention can be implemented;
• the figure 3 illustrates the architecture of the devices implemented in the environment represented on the figure 2 ;
• the figure 4 schematically illustrates the algorithm implemented in the information system of an aircraft, according to the invention, to enable the automation of final assembly line testing of the aircraft and / or the automation of the aircraft. periodic check operations performed by the airline operating the aircraft;
• the figure 5 partially represents an Ethernet frame on which filtering can be performed;
• the figure 6 represents an ASCII table and more particularly characters that can be used to transmit a command from the unsecured part to the secure part of an information system of an aircraft, without compromising its security;
• the figure 7 illustrates an exemplary lookup table that can be used by a conversion module to establish correspondence links between commands and instructions; and,
• the figure 8 illustrates an exemplary device adapted to implement the invention or a part of the invention.

According to a particular embodiment, the invention implements a system composed of the information system of the aircraft, comprising communication means such as IP communication means (abbreviation of Internet Protocol in English terminology) , and a remote station or an automatic test station located, for example, on the ground. This system allows to ensure the automation of tests and the verification of the configuration of the logical systems of an aircraft.

The remote station or the automatic test station is connected to the on-board information system via a secure network such as an Ethernet network.

Securing the connection can be ensured, for example, by a ground element integrated in the airline network adapted to implement a secure tunnel. The technology used should preferably allow to maintain a high level of security throughout the life of the aircraft.

To access the on-board maintenance functions from a remote station or a test station, it is necessary to establish a secure connection between a server on the ground and the embedded component that manages the communication means of the aircraft. When the tunnel is established, activities can be conducted from the remote station or the test station.

The figure 2 schematically represents an example of an environment in which the present invention can be implemented. It is here illustrated an aircraft 200 comprising a maintenance device 205, for example containing centralized diagnostic and storage tools, connected to a network connection socket 210 accessible, in this example, from outside the aircraft. The network connection socket 210 is here connected to the network 215 implementing, for example, the IP protocol.

The device 205 is connected to all the systems of the aircraft generating maintenance messages, for example sensors (not shown) for controlling the engines and actuators of the landing gear and the control surfaces.

An on-line maintenance remote station 220, for example placed in a maintenance center 225, is connected to the device 205 via the communication network 215 and the socket 210.

Thus, when the aircraft 200 is on the ground, during its assembly or operation, a maintenance operator can, using the remote station 220, analyzing the aircraft data, modifying its parameters and / or controlling the execution of the maintenance application modules implemented therein.

Although the connection between the aircraft 200 and the network 215 is here wired, wireless communication technologies such as WiMax and / or WiFi can be used. In this case, the aircraft comprises wireless communication means adapted to establish communication with a compatible device located on the ground, in a satellite or in all types of vehicle, this device being itself connected to the network 215.

The figure 3 illustrates more precisely the architecture of the devices implemented in the environment represented on the figure 2 . The reference 300 here designates the systems on board the aircraft while the reference 305 designates the remote systems belonging, for example, to the maintenance control center, also called MCC (acronym for Maintenance Controi Center in English terminology). , the maintenance information system, also called MIS (acronym for Maintenance Information System in English terminology) or the final assembly center.

The remote system comprises a remote station or a test station 310, for example a PC-type portable computer (acronym for Personal Computer in English terminology), and a server 315 making it possible to establish data communication with the computer system. embedded information 320 of the aircraft through the network 325.

Two types of data can be processed by the remote station or the test station: the data from the aircraft and the command data for managing the tests.

The onboard information system 320 of the aircraft is connected to the avionics systems 330, for example the flight control systems, the autopilot and the environmental monitoring systems, and to the commercial world systems 335, said open, "unlike the avionics world, because of the origin of the processed data.

Furthermore, the on-board information system 320 comprises two parts, a highly secure part 340, called a trusted world, and a less secure part 345, called connected world.

The less secure portion 345 includes a communication module 350 adapted to receive and transmit data from and to the network 325. The communication module 350 is connected to a maintenance application module 355 which itself comprises a coding module 360 used to encode the data to be transmitted to the secure part 340 of the on-board information system 320.

The secure portion 340 includes a filtering module 365 adapted to control the data transmitted by the less secure portion 345.

The secure portion 340 further comprises a maintenance application module 370 itself comprising a conversion module 375 adapted to convert the data received from the filtering module 365 so that they can be used by the maintenance application module 370.

As illustrated, the maintenance application module 355 of the less secure part 345 is connected to the commercial systems 335 while the maintenance application module 370 of the secured part 340 is connected to the avionic world systems 330.

The figure 4 schematically illustrates the algorithm implemented in the information system of an aircraft, according to the invention, to enable the automation of final assembly line testing of the aircraft and / or the automation of the aircraft. periodic verifications carried out by the airline operating the aircraft.

The reference ① here designates the part of the algorithm implemented in the unsecured part of the aircraft information system, the reference ② designates the part of the algorithm implemented in the secure part of the aircraft system. information of the aircraft, the reference ③ designates the functions implemented in the world of confidence, that is to say here the avionics, and the reference ④ designates the functions implemented in the commercial world.

After receiving a command (step 400) from a remote station or from a test station via, for example, a previously established secure communication tunnel, a test is performed (step 405) to identify the recipient of the command received .

If the recipient of the received command is located in the trusted world, the command is encoded (step 410) to make it compatible with the filter used at the input of the secured portion, and then transmitted thereto (step 415). The exchange of command and / or data between the secured and unsecured portions is preferably performed via a dedicated internal network.

The coding consists, for example, in coding the commands in the form of frames having a format and / or predetermined characteristics. The filtering then consists in checking this format and / or these characteristics.

As indicated above, when the secure part of the aircraft information system receives a command from the unsecured part, the received command is filtered (step 420) using a robust filter. Orders that do not comply with the predetermined criteria of the filter are rejected. The filtered commands are converted or translated (step 425) by a translation module of the secure part to allow their execution by the intended maintenance function.

The requested maintenance function, for example an interactive test management module or a test configuration management module, executes the command received or manages its execution and preferably sends a response, for example a configuration or a result, to the command translation module that constructs a corresponding file. This file is then transmitted (step 430) to the maintenance function of the unsecured part of the information system of the aircraft which transfers the received information to the remote station (step 435).

If the recipient of the received command is located in the connected world, the command is encoded (step 440) in a standard way to make it compatible with the protocols used in the connected world systems.

The requested maintenance function, for example an interactive test management module, executes the received command (step 445) or manages its execution. If a response is determined, for example a configuration or result, it is transmitted to the remote station (step 435).

The algorithm illustrated on the figure 4 allows to implement different scenarios of tests and / or verification during the final assembly and / or during the operation of the aircraft.

According to a first example, the procedure for carrying out a sequence of automatic tests in the avionics is the following (although such a test sequence is here carried out on the final assembly line of the aircraft, an equivalent sequence can be used during the operation of the aircraft).

A test application, hosted by the remote station, first sends a boot command on the network to an element of the hosted maintenance function in the connected world. After having received it (step 400) and having determined that this command is intended for the secure part of the aircraft information system (step 405), the element of the maintenance function encodes the command to make it compatible. with the robust filter (step 410). The coded command is then transmitted to the filter of the secure portion (step 415).

After being filtered (step 420) and if it has not been rejected, the command is translated and transmitted to the corresponding maintenance function of the secure part to be executed (step 425). The requested maintenance function, here the interactive test management module, executes the command received and, in response to the initialization command, transmits its configuration to the command translator which constructs, for example, a corresponding file.

The file is then sent to the connected world's maintenance function (step 430) which in turn transmits the file to the remote station (step 435).

The remote station verifies that the resulting file conforms to the initialization command. If so, the remote station constructs the following command to initiate a test action and transmits it to the aircraft information system. If the result is not correct, an error message is logged.

After having received a first test command (step 400) and determined that it is intended for avionics (step 405), the maintenance function of the unsecured part of the information system of the aircraft codes the command (step 410) to make it compatible with the filter of the secure part and transmits it to the latter (step 415).

After having been filtered (step 420), the command is translated to enable the maintenance function, here the interactive test management module or the equipment configuration management module of the aircraft, to start the test (step 425). ). The target (s) perform the test and, if applicable, the maintenance function calculates the test result. The result is transmitted via the command translator which, for example, constructs a file corresponding to the maintenance function of the unsecured part of the information system of the aircraft (step 430) which transmits it to the remote station ( step 435).

The remote station can then analyze the test result file and save it.

To automate all tests in a scenario, the above sequence must be repeated for all affected targets.

The test command transmitted to the avionics can aim, in particular, a test as such, for example a functional test of a piece of equipment of the aircraft, or the management of the configuration of the equipment of the aircraft, in particular an element of avionics.

It should be noted that there are several methods for determining the configuration of the equipment of the aircraft. A first solution is to interrogate each target, that is to say each element tested. Alternatively, a second solution consists of accessing a configuration file determined and recorded by the maintenance function. According to this second solution, it is not necessary to analyze the equipment configurations during the test.

According to a second example, the procedure for carrying out a sequence of automatic tests in the connected mode systems and commercial is the following (again, this type of test is here performed in the final assembly line of the aircraft).

As before, a test command is transmitted over the network by the remote station which includes a test application to an element of the maintenance function hosted in the unsecured part of the information system of the aircraft. After being received (step 400) and after determining that the received command is for connected world systems (step 405), the maintenance function element codes the command (step 440) to make it compatible with the protocols connected world.

The target of the connected world performs the test (445). If a result is expected, the maintenance function element retrieves the test result and transmits it to the remote station (step 435) which can analyze the test result and record it.

To automate all tests in a scenario, the previous sequence is repeated for each target target.

As indicated above, the purpose of the filter is to filter the data received from the network in order to transmit only the correctly formatted data to the secure part of the information system of the aircraft.

The filtering module is preferably based on the sieve principle, that is to say on an iterative mechanism, in which several filter levels are used to optimize the processing times. It is thus composed of several elements making it possible to filter more and more finely the received data in order to pass only the data corresponding to the valid commands.

The filtering module requires that a command format be defined in order to process only a certain type of network frames. The format and the associated transport protocol can be defined as parameters, accessible to the filtering module. For example, such parameters may specify that the commands are received in the form of Ethernet frames, indicate the sources authorized to transmit such commands, maximum frame life beyond which frames are ignored and indicate the characters that can be validly used to encode a command in a frame.

As an illustration, the filtering of Ethernet frames can be done in three steps.

The figure 5 partially represents an Ethernet frame 500 on which filtering can be performed according to these three steps.

First, each frame is analyzed by checking, for example, the source 505 and destination physical addresses 510, in particular the MAC addresses (acronym for Media Access Control in English terminology), the protocol type 515 and the signature. 525 of the complete frame. The data 520 of the frame is not analyzed in this first step.

If the source physical addresses 505 and destination 510, the protocol type 515 and the signature 525 do not comply with the parameters of the filter module, the frame is rejected.

On the contrary, if the source physical addresses 505 and destination 510, the protocol type 515 and the signature 525 comply with the parameters of the filtering module, a second filtering step is implemented.

It should be noted here that the first step of filtering may relate to other data than those cited or, on the contrary, less data.

The second step consists, for example, in analyzing the header of the data 520. In particular, this second filtering step can consist in checking the IP version ( Internet Protocol acronym in English terminology) 525, the length 530 of the head, the type of service 535, the total length 540 of the data, the identification 545 used to reconstruct the fragments, the lifetime 550, also called TTL (acronym for Time To Live in English terminology), the protocol 555 and source addresses 560 and destination 565.

Again, if all this information does not conform to the parameters of the filter module, the frame is rejected. On the contrary, if all this information is in accordance with the parameters of the filtering module, a third filtering step is implemented.

It should be noted here also that the second filtering stage can relate to other data than those mentioned or, on the contrary, to less data.

The third step here is to analyze the characters of the useful data 570 of the frame. This step thus makes it possible to verify that the characters necessary for the construction of the command can not be used to build executable code. Advantageously, all the characters of the useful data must be chosen from the ASCII table, in the values between 032 and 090, as illustrated in FIG. figure 6 .

If a character of the payload 570 does not belong to the ASCII table, between the values 032 and 090, the frame is rejected. On the contrary, if all the characters of the payload 570 belong to the ASCII table, between the values 032 and 090, the frame is transmitted to the secure part of the information system of the aircraft to be processed.

Of course, the third stage of filtering can relate to other criteria, in particular more restrictive criteria.

The purpose of filtered command translation is to establish an interface between the maintenance functions and the network.

This module is preferably developed so that only the commands linked to instructions corresponding to maintenance functions implemented in the secure part of the information system of the aircraft have an action. This means that this module knows the instructions that can be executed by each application. In other words, a list of instructions or sequence of instructions is preferably previously stored. Such a list defines a set of configurations of possible sequences of instructions. This list can also define forbidden combinations.

This configuration is constructed in such a way that the sequence of instructions of an application is known a priori. This allows the conversion module to verify that the commands it receives and the sequence of associated instructions is consistent with what the application is supposed to perform. This check allows the conversion module to reject any unexpected sequence and thus ensures that dangerous operations can not be performed.

In a particular embodiment, the conversion module uses a correspondence table between command names and the actual functions, ie sequences of instructions, in order to associate one or more instructions with the names of the commands. commands received from the remote station. It should be noted here that instructions can take many forms. These are for example pointers to functions or commands interfaced with the operating system of the maintenance device. The instructions notably make it possible to simulate an action entered by a user on the interface of the maintenance device accessible in the aircraft.

The figure 7 illustrates an example of a lookup table 700 that can be used by the conversion module.

The correspondence table 700 here comprises two columns: a column 705 containing the names of the commands and a column 710 containing the list of instructions associated with each command.

Line 715 illustrates an example of a test command of a flight management device, called FMU (abbreviation of Flight Management Unit in English terminology). The name of the command that can be used by a maintenance operator from a remote station is TEST: FMU. As shown, this command corresponds to the execution of the instruction sequence including the Set_Param (a, b, c), AutoTest_FMU1 and AutoTest_FMU2 instructions.

After a command has been analyzed and declared compliant, the conversion module sends the corresponding instructions to the application concerned. The application executes the instructions and returns, usually, a response. This response is received by the conversion module which constructs a response message, preferably signed.

• l'opérateur entre la commande TEST : FMU sur le poste distant ;
• la commande TEST : FMU est transmise au système d'information de l'aéronef à travers un réseau de communication ;
• la commande reçue par l'aéronef est codée puis filtrée ;
• la séquence d'instructions correspondant à la commande filtrée est identifiée, ici les instructions Set_Param(a, b, c), AutoTest_FMU1 et AutoTest_FMU2 ;
• ces instructions sont transmises par une couche logicielle de type API (sigle de Application Programming Interface en terminologie anglo-saxonne) aux applications visées (comme si la commande avait été générée par des sélections de touches sur un poste fixe) ;
• les applications visées exécutent les instructions conformément à la commande et transmettent les résultats au module de conversion via la couche logicielle de type API ; et,
• le module de conversion forme un message de réponse, par exemple en construisant une page d'écran ou une partie de page d'écran comprenant les résultats, signe le message de réponse pour attester de l'origine et de l'intégrité de l'information fournie et transmet le message de réponse au poste distant via le réseau de communication.

By way of illustration, taking again the example illustrated on the figure 7 , the procedure for executing the instructions corresponding to the command TEST: FMU is as follows,

• the operator enters the command TEST: FMU on the remote station;
• the command TEST: FMU is transmitted to the information system of the aircraft through a communication network;
• the command received by the aircraft is coded and then filtered;
• the sequence of instructions corresponding to the filtered command is identified, here the instructions Set_Param (a, b, c), AutoTest_FMU1 and AutoTest_FMU2;
• these instructions are transmitted by a software layer type API (acronym for Application Programming Interface in English terminology) to the targeted applications (as if the command had been generated by key selections on a fixed position);
• the targeted applications execute the instructions in accordance with the command and transmit the results to the conversion module via the API type software layer; and,
• the conversion module forms a response message, for example by constructing a screen page or part of a screen page including the results, signs the response message to attest to the origin and integrity of the provided information and transmits the response message to the remote station via the communication network.

It is also possible, in the case of automatic tests, to use a software application implemented on the remote station to generate a sequence of commands in order to create a complete test scenario.

A device adapted to implement the invention or a part of the invention is illustrated on the figure 8 . The device 800 is for example a computer or a microcomputer.

• une unité centrale de traitement ou microprocesseur 803 (CPU, Central Processing Unit) ;
• une mémoire morte 804 (ROM, acronyme de Read Only Memory en terminologie anglo-saxonne) pouvant comporter les programmes "Prog", "Prog1" et "Prog2" ;
• une mémoire vive ou mémoire cache 806 (RAM, acronyme de Random Access Memory en terminologie anglo-saxonne) comportant des registres adaptés à enregistrer des variables et paramètres créés et modifiés au cours de l'exécution des programmes précités ; et,
• une interface de communication 818 adaptée à transmettre et à recevoir des données.

The device 800 here comprises a communication bus 802 to which are connected:

• a central processing unit or microprocessor 803 (CPU, Central Processing Unit);
• a ROM 804 (ROM, acronym for Read Only Memory in English terminology) may include programs "Prog", "Prog1" and "Prog2";
• a RAM or cache memory 806 (RAM, acronym for Random Access Memory in English terminology) having registers adapted to record variables and parameters created and modified during the execution of the aforementioned programs; and,
• a communication interface 818 adapted to transmit and receive data.

• d'un écran 808 permettant de visualiser des données et/ou de servir d'interface graphique avec l'utilisateur qui pourra interagir avec les programmes selon l'invention, à l'aide d'un clavier et d'une souris 810 ou d'un autre dispositif de pointage tel qu'un crayon optique, un écran tactile ou une télécommande ;
• d'un disque dur 812 pouvant comporter les programmes "Prog", "Prog1" et "Prog2" précités et des données traitées ou à traiter selon l'invention ; et,
• d'un lecteur de cartes mémoires 814 adapté à recevoir une carte mémoire 816 et à y lire ou à y écrire des données traitées ou à traiter selon l'invention.

Optionally, the device 800 may also have:

• a screen 808 for viewing data and / or to act as a graphical interface with the user who can interact with the programs according to the invention, using a keyboard and a mouse 810 or another pointing device such as an optical pen, a touch screen or a remote control;
• a hard disk 812 which may include the aforementioned "Prog", "Prog1" and "Prog2" programs and data processed or to be processed according to the invention; and,
• a memory card reader 814 adapted to receive a memory card 816 and to read or write to it data processed or to be processed according to the invention.

The communication bus allows communication and interoperability between the various elements included in the device 800 or connected to it. The representation of the bus is not limiting and, in particular, the central unit is able to communicate instructions to any element of the device 800 directly or via another element of the device 800.

The executable code of each program enabling the programmable device to implement the processes according to the invention can be stored, for example, in the hard disk 812 or in the read-only memory 804.

According to one variant, the memory card 816 may contain data, in particular signature keys, as well as the executable code of the aforementioned programs which, once read by the device 800, will be stored in the hard disk 812.

According to another variant, the executable code of the programs may be received, at least partially, via the interface 818, to be stored in the same manner as described above.

More generally, the program (s) may be loaded into one of the storage means of the device 800 before being executed.

The central unit 803 will control and direct the execution of the instructions or portions of software code of the program or programs according to the invention, instructions which are stored in the hard disk 812 or in the read-only memory 804 or in the other elements of aforementioned storage. When powering on, the program or programs that are stored in a non-volatile memory, for example the hard disk 812 or the read-only memory 804, are transferred into the random access memory 806 which then contains the executable code of the program or programs according to the invention, as well as registers for storing the variables and parameters necessary for the implementation of the invention.

The communication apparatus comprising the device according to the invention may also be a programmed apparatus. This device then contains the code of the computer program or programs for example frozen in a specific application integrated circuit (ASIC).

It should be noted that avionics maintenance application modules, like all embedded software applications in the secure part of the aircraft information system, are developed according to strict aeronautical standards to ensure a certain level of safety and security. demonstrate a level of prediction of system behavior.

As an illustration, the avionics maintenance application module hosting platform, whose level of quality assurance targeted software is DAL C, is developed in such a way that the level of control of the embedded code ensures, in particular, the integrity of the information generated (the hosting platform is, for example, developed according to the aeronautical standard DO-178B ).

Thus, the implementation of the invention in such a context ensures a certain level of integrity of the data and results transmitted to the remote station.

Naturally, to meet specific needs, a person skilled in the field of the invention may apply modifications in the foregoing description.

Claims (10)

A method for testing or evaluating the configuration of at least one piece of equipment in an aircraft, said aircraft comprising an onboard information system, said information system comprising a secure part and a less secure part, said less secure part including a network interface adapted to exchange data with an information system external to said aircraft, said secured part comprising at least one maintenance function, this method being characterized in that it comprises the following steps, receiving (400) at least one test command or evaluation of the configuration of said at least one device via said network interface; coding (410) said at least one received command; transmitting (415) said coded command to said secure part of said information system of said aircraft; in response to receiving said coded command, filtering (420) said at least one coded test command; and, in response to said step of filtering, translating and executing (425) said coded command in relation to said at least one maintenance function. The method of claim 1 further comprising a step of determining a result in response to said executing said at least one command and a step of transmitting (430, 435) said result to said external information system to said aircraft via said interface Communication. The method of claim 2 wherein said step of transmitting said result comprises a step of transmitting said result of said secure portion of said information system of said aircraft to said less secure portion of said aircraft information system and a step transmitting said result of said less secure portion of said information system of said aircraft to said information system external to said aircraft. A method according to any one of the preceding claims wherein said less secure portion comprises at least one second maintenance function, separate from said at least one maintenance function, called at least one first maintenance function, the method further comprising a step evaluating said at least one command adapted to determine if said at least one command is intended for said secure part or for said less secure part of said information system of said aircraft, said coding, filtering transmission, translation steps and executing said at least one command being executed if said at least one command is for said secure part of said information system of said aircraft. Method according to the preceding claim further comprising, if said at least one command is intended for said less secure part of said information system of said aircraft, a step of execution (445) of said at least one command received in relation to said less a second maintenance function. Method according to the preceding claim wherein said at least one received command is coded (440) prior to its execution. A method according to any preceding claim further comprising an initial step of establishing a secure communication channel between said information system of said aircraft and said information system external to said aircraft. Computer program comprising instructions adapted to the implementation of each of the steps of the method according to any one of the preceding claims when said program is executed on a computer. Device comprising means adapted to the implementation of each of the steps of the method according to any one of claims 1 to 7. Aircraft comprising the device according to the preceding claim.

Images